X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/32a423888e0d6b5254c55e4faf418b31749dc69e..45dde9418dd342bb1a632d82559201c0b3becf1a:/cookbooks/kibana/recipes/default.rb

diff --git a/cookbooks/kibana/recipes/default.rb b/cookbooks/kibana/recipes/default.rb
index 788e95513..c2e2693b3 100644
--- a/cookbooks/kibana/recipes/default.rb
+++ b/cookbooks/kibana/recipes/default.rb
@@ -1,15 +1,14 @@
-# coding: utf-8
 #
-# Cookbook Name:: kibana
+# Cookbook:: kibana
 # Recipe:: default
 #
-# Copyright 2015, OpenStreetMap Foundation
+# Copyright:: 2015, OpenStreetMap Foundation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+#     https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
@@ -68,6 +67,11 @@ systemd_service "kibana@" do
   after "network.target"
   user "kibana"
   exec_start "/opt/kibana-#{version}/bin/kibana -c /etc/kibana/%i.yml"
+  private_tmp true
+  private_devices true
+  protect_system "full"
+  protect_home true
+  no_new_privileges true
   restart "on-failure"
 end
 
@@ -79,7 +83,7 @@ node[:kibana][:sites].each do |name, details|
                         "elasticsearch_url" => details[:elasticsearch_url],
                         "pid_file" => "/var/run/kibana/#{name}.pid",
                         "log_file" => "/var/log/kibana/#{name}.log"
-    ))
+                      ))
     owner "root"
     group "root"
     mode 0o644
@@ -89,6 +93,7 @@ node[:kibana][:sites].each do |name, details|
   service "kibana@#{name}" do
     action [:enable, :start]
     supports :status => true, :restart => true, :reload => false
+    subscribes :restart, "systemd_service[kibana@]"
   end
 
   ssl_certificate details[:site] do